Section 21

Section 21 is the licensing gateway for India's Certifying Authority regime. Only entities that obtain a licence from the CCA under this section may legally issue Electronic Signature Certificates in India. The licensing criteria — prescribed through the IT (Certifying Authority) Regulations — are stringent: financial stability, technical infrastructure meeting PKI security standards, audited key management procedures including Hardware Security Modules (HSMs), disaster recovery systems, and appropriate professional indemnity insurance. The non-transferability requirement in Section 21(3)(b) is important: a CA licence cannot be sold, assigned, or inherited — if a licensed CA is acquired, the acquirer must obtain its own licence. This prevents the trust built around a CA's reputation from being transferred to a new entity that has not met the licensing criteria. Currently, six entities hold active CCA licences in India: eMudhra, Sify Technologies, NSDL e-Governance Infrastructure, (n)Code Solutions (GNFC), CDAC, and IDRBT. Operating as a CA without a valid licence is penalised under Section 42 of the IT Act.